So this would require a list of decided malicious extensions or not and someone can go ahead and check through that.

To find the list of decided malicious extensions, I can imagine that a github repository where people can create issues about the lack of safety (like imagine some github repo where this case could've also been uploaded) and people could discuss and then a .txt/json file could be there in the repo which gets updated every time an extension is confirmed to be malicious.

Thoughts?

Edit: (To take initiative?) I have created a git repo with this https://github.com/SerJaimeLannister/unsafe-extensions-list but I would need some bootstrap list of malicious extensions. So I know nothing about this field and the only extension I can add is this one maybe but maybe someone can fork this idea (who is more knowledgable within the extension community space) or perhaps they can add entries into it.

Edit 2: Looks like qcontinuum actually have a github repo and I hadn't read the article while I had written the comment but its not 1 extension but rather 287 extensions and they have mentioned all in their git repo

https://github.com/qcontinuum1/spying-extensions

So they already have a good bootstrapped amount & I feel as if qcontinuum is interested they can maybe implement the idea?

▲

qcontinuum1 4 hours ago | parent [-]

> So they already have a good bootstrapped amount & I feel as if qcontinuum is interested they can maybe implement the idea?

We might to it once. That requires non-trivial engineering effort and resources and we are at the moment short on both of those.

▲

Imustaskforhelp 3 hours ago | parent [-]

My point was to have a community effort around it as well if possible and people could say, upload suspicion and people could then confirm it?

I am curious but wouldn't this effort be more better if more people outside who are interested in investing their own resources for the safety of a better internet could help you out in such endeavour? So essentially they can also help you out in such task essentially creating an open source-ish committee/list which can decide it.

I do feel like if resources are something in short, then actually doing such would be even more beneficial, right? What are your thoughts on it?

(Tangent if you actually do this: This might become a cat and mouse game if the person with malicious extension say reads the github repo and if they see their extension in it before people can conclude its malicious, making the cat and mouse game but I am imagining a github action which can calculate the hash and download link and everything (essentially archiving) a state of extension and then people can get freed from the game and everything as well. So this might help a lot in future if you actually implement it)

▲

qcontinuum1 2 hours ago | parent [-]

It is a noble idea to have a community driven effort in security research. We are sceptical that would work. The same way security researchers will read this thread in future bad actors (e.g. Similarweb) can read as well.

Any tool that would be open sourced or community driven for extension scanning will be with enough time used by bad actors to evade the scans. That is also why we don't share the code for this research as it would only speed up this process.

	▲	Imustaskforhelp 2 hours ago \| parent [-]
		Oh I understand. I don't have any expertise in such field but reading this, I can understand why open source approach might not work out which is a little sad being honest. But I feel like then the (bottleneck?) [which I don't mean in a bad way] would be the team where the attackers might still be infinitely more which can exhaust your resources which you mention as such. Also,Are there any other teams working in this? Thoughts on collaborating with anyone in the security field? Maybe if a direct detailed discussion can't happen then just as how you released the list of these extensions, you can release extensions in future too as you detect them Do you feel as if LLM generated vibe-coded (with some basic reading of code to just get idea and see if there's any bad issues) would be more safer than a random extension in firefox/chrome in general? Given one is a black box (closed source) generated by human and the other is an open code generated by a black box.